Disaster Recovery Planning vs. Disaster Recovery Plans

So often, when we are engaged to review existing business continuity and disaster recovery plans, we find volumes of “plans” with very important planning information but very little in the way of action plans for at-time-of-recovery activity.

By this, I mean, many “plans” include information discovered in the BIA and Risk Analyses.  There are tables and reports on what the impacts are for being down, what the requirements are in a recovery center, how many desks are needed in a recovery site, special equipment requirements, special forms, vital records listings and locations, what the critical applications are, RTO’s, RPO’s, vendor listings, employee listings, and on and on and on.

All of this information is CRITICAL INFORMATION for designing a recovery solution, but is of no real value at time of an incident.

At time of disaster, I need to know how to engage the plans and how to employ the capabilities that are provided –based on all that information listed above.

In my opinion, this information should be segregated.  When a business interruption event occurs, I do not care what the findings were in the BIA or RA – all I want to know is what is in place now, how do we get to it and what do we do when we get there.

I review many plans that pass the weight test but are so full of “noise” and so loaded with information that they become too bulky and are not usable as an action plan for what we do.

Sometimes it can be as simple as separating the two parts of the plan – many times, the “action plan” component is missing altogether.  This is sometimes especially true when a database software tool is used.  The database reports look so good and fill up so many pages, people think that that is the plan.  No, that is a collection of information needed to ensure we put the proper capability in place, but is not the action plan for how we employ that capability.

Practical, pragmatic, easy-to-use action plans are hard to come by, but, what I am most interested in finding when asked to review an organization’s level of response preparedness.

Do not confuse a compilation of information gathered in the planning process as being your disaster recovery plan.

Thank you for your input.